Class: ActiveCanvas::ContentSanitizer

Inherits:
Object
Defined in:
app/services/active_canvas/content_sanitizer.rb

Defined Under Namespace

Classes: PermissiveAttributeScrubber


Class Method Details

.sanitize_css(css) ⇒ Object

Scrub CSS with a pattern blocklist for known script-execution vectors (best-effort XSS mitigation — a regex blocklist, not a CSS parser; pair it with a Content-Security-Policy when the CSS comes from untrusted authors)



# File 'app/services/active_canvas/content_sanitizer.rb', line 24

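# Scrub CSS of the known ways a stylesheet can reach script execution.
#
# This is a blocklist of patterns, not a CSS parser: it catches the
# script-scheme URLs and the legacy IE/Firefox binding properties, nothing
# more. It does not address CSS-based data exfiltration (attribute selectors
# plus external `url()` loads), arbitrary external `@import`s, or anything a
# future engine might add. When authors are not fully trusted, a
# Content-Security-Policy (`style-src` without `'unsafe-inline'`, or a
# nonce/hash) should be the primary control and this the backstop.
#
# @param css [String, nil] raw stylesheet text
# @return [String, nil] the input object itself when it is blank or when
#   `ActiveCanvas.config.sanitize_content` is off; otherwise the text with
#   every matched construct rewritten to an inert `blocked` token
def sanitize_css(css)
  return css if css.blank?
  return css unless ActiveCanvas.config.sanitize_content

  # Match against a normalised copy rather than the raw text. A CSS parser
  # treats `/* */` comments as whitespace and decodes backslash-hex escapes
  # before tokenising, so `expr/**/ession(` and `\6a avascript:` are the same
  # thing to the browser but would slip past a regex applied to the raw bytes.
  # Only ASCII code points are decoded: that is all an attacker needs to spell
  # a keyword, and it keeps non-ASCII `content:` escapes out of the picture.
  normalised = css.gsub(%r{/\*.*?\*/}m, "")
  normalised = normalised.gsub(/\\([0-9a-f]{1,6})[ \t\r\n\f]?/i) do |escape|
    code_point = Regexp.last_match(1).hex
    code_point < 0x80 ? code_point.chr : escape
  end

  rules = [
    # url(javascript:…) / url(vbscript:…) in any property; vbscript: is the
    # IE-era sibling of javascript: and is covered for the same reason as
    # expression() below.
    [/url\s*\(\s*["']?\s*(?:javascript|vbscript):/i, "url(blocked:"],
    # expression(…) — legacy IE JavaScript-in-CSS
    [/expression\s*\(/i, "blocked("],
    # behavior: — legacy IE HTC binding
    [/behavior\s*:/i, "blocked:"],
    # -moz-binding: — legacy Firefox XBL binding
    [/-moz-binding\s*:/i, "blocked:"],
    # @import "javascript:…" (the url(...) spelling is already caught above)
    [/@import\s+["']?\s*(?:javascript|vbscript):/i, "/* blocked */"]
  ]

  sanitized = rules.reduce(normalised) do |text, (pattern, replacement)|
    text.gsub(pattern, replacement)
  end

  # Nothing matched: return the caller's text untouched, comments and escapes
  # included, so benign stylesheets round-trip byte-for-byte. Something
  # matched: the input is hostile, and the normalised, scrubbed form is
  # returned — a decoded escape or a dropped comment is an acceptable price.
  sanitized == normalised ? css : sanitized
end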

.sanitize_html(content) ⇒ Object

Sanitize HTML content using Rails’ built-in sanitizer



# File 'app/services/active_canvas/content_sanitizer.rb', line 5

# Sanitize an HTML fragment with Rails' safe-list sanitizer, using the
# project's own PermissiveAttributeScrubber to decide which tags and
# attributes survive.
#
# Note that the decision is delegated entirely to the scrubber: the sanitizer
# is constructed without tag/attribute options, so what is allowed is whatever
# PermissiveAttributeScrubber does with `allowed_tags` / `allowed_attributes`
# (its name suggests it also lets `data-*`/`aria-*` through — worth
# confirming, since some front-end libraries act on `data-*` attributes).
#
# @param content [String, nil] raw HTML
# @return [String, nil] the input object itself when blank or when
#   `ActiveCanvas.config.sanitize_content` is off; otherwise the sanitized
#   fragment as returned by the sanitizer (a plain String — callers decide
#   whether it is safe to mark html_safe)
def sanitize_html(content)
  return content if content.blank?

  settings = ActiveCanvas.config
  return content unless settings.sanitize_content

  # The scrubber carries the permit lists; the sanitizer itself is unconfigured.
  attribute_scrubber = PermissiveAttributeScrubber.new(
    allowed_tags: settings.allowed_html_tags,
    allowed_attributes: settings.allowed_html_attributes
  )

  Rails::HTML5::SafeListSanitizer.new.sanitize(content, scrubber: attribute_scrubber)
end

.sanitize_js(js) ⇒ Object

Pass JavaScript through unchanged — no sanitization is performed; intended only for tracking snippets supplied by fully trusted authors



# File 'app/services/active_canvas/content_sanitizer.rb', line 50

# Return JavaScript unchanged.
#
# Despite the name this is a deliberate pass-through: nothing is stripped,
# escaped or validated, and unlike sanitize_css/sanitize_html it does not
# consult `ActiveCanvas.config.sanitize_content` (there is nothing it would
# switch off). Any script accepted here runs with the full privileges of the
# page's origin, so only fully trusted authors — e.g. an administrator pasting
# a tracking snippet — should be able to reach this path. Emitting a CSP
# nonce/hash would need request context this class does not have.
#
# @param js [String, nil] script text
# @return [String, nil] the same object that was passed in
def sanitize_js(js)
  return js if js.blank?

  js
end